Siemens Issues Fix for Maximum Severity Flaw in Industrial Edge Devices
Take action: This is maximum severity, so don't ignore it. Review the advisory to check if you use any of these product lines. Of course, make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Then plan a quick update cycle.
Siemens released a security advisory about an authorization bypass vulnerability in its Industrial Edge Device ecosystem that allows remote attackers to skip the login process entirely by interacting with specific API endpoints that fail to verify user identity.
The vulnerability is tracked as CVE-2025-40805 (CVSS score 10.0), an authorization bypass through a user-controlled key. An unauthenticated attacker can impersonate a legitimate user if they know that user's identity and gain the same permissions as the impersonated user, potentially leading to full system compromise and control over industrial processes.
Affected Siemens products include:
- Industrial Edge Cloud, Own, and Virtual Devices
- SCALANCE LPE9413 and LPE9433
- SIMATIC Automation Workstation 19" and 24"
- SIMATIC HMI MTP Unified Comfort Panels (700, 1000, 1200, 1500, 1900, 2200 series)
- SIMATIC IOT2050 and IPC models (BX-39A, BX-59A, 127E, 227E, 227G, 427E, 847E)
- SIPLUS HMI MTP Unified Comfort series
Siemens has released firmware updates for most of the affected hardware. Users should update:
- Industrial Edge devices to V1.24.2
- SIMATIC IOT2050 to V1.25.1
- SCALANCE LPE devices to V2.2
- HMI panels to V21
- IPC models to V3.1
For certain products like the SIMATIC Automation Workstation, Siemens has not yet released a fix. In these cases, the company urges operators to restrict network access to trusted parties only.
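To turn the fixed-version list and the no-fix case above into an inventory check, the following added example (not code from Siemens or from the original article) compares installed firmware against the versions listed here. It assumes versions are dotted numbers with an optional "V" prefix; the family labels, asset names and installed versions are constructed for illustration.

```python
import re

# Fixed versions from the article (None = no fix yet); family keys are this example's own labels.
FIXED = {
    "Industrial Edge": "V1.24.2",
    "SIMATIC IOT2050": "V1.25.1",
    "SCALANCE LPE": "V2.2",
    "HMI MTP Unified Comfort": "V21",
    "SIMATIC IPC": "V3.1",
    "SIMATIC Automation Workstation": None,
}

def parse_version(text):
    """Turn 'V1.24.2' or '1.24' into a tuple of ints for ordered comparison."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_older(installed, fixed):
    """True if installed < fixed; short versions are zero-padded (2.2 == 2.2.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def triage(inventory):
    """Return one (asset, action) pair per (asset, family, installed) row."""
    results = []
    for asset, family, installed in inventory:
        if family not in FIXED:
            action = "family not mapped: check the advisory"
        elif FIXED[family] is None:
            action = "no fix yet: restrict network access"
        else:
            try:
                older = is_older(installed, FIXED[family])
                action = f"update to {FIXED[family]}" if older else "at or above fixed version"
            except ValueError:
                action = "version unreadable: check manually"
        results.append((asset, action))
    return results

# Constructed sample inventory: asset names and installed versions are made up.
SAMPLE = [
    ("edge-01", "Industrial Edge", "V1.23.9"),
    ("lpe-02", "SCALANCE LPE", "V2.2.0"),
    ("aws-03", "SIMATIC Automation Workstation", "V1.0"),
    ("ipc-05", "SIMATIC IPC", "unknown"),
]
print(*triage(SAMPLE), sep="\n")
```

Rows whose family is not in the map are reported for manual review rather than treated as unaffected, since the affected-product list above is broader than the five families with stated fixed versions.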